VPNV4 route denied by iBGP peer

Nov 24th, 2007

Not sure why the VPNv4 route is denied by BGP peer. Any help is appreciated.


Using Cisco 2811, 12.4(7a).


iBGP speaker (PE router) sends a VPNv4 route, but the peer (P or PE router) denies the route with the following error (debug message):


DENIED due to: extended community not supported;


The BGP configuration is (identical config on both speakers):

router bgp 1
 no sync
 neighbor 2.2.2.2 remote-as 1
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family



gramucisco Mon, 11/26/2007 - 12:08

I think, you're right about route-target configuration. Once I configured import/export route targets for the vrf on PE (I do not know how I missed this basic config; I kind of overlooked), the VPN routes were accepted by PE.


However, the problem still exists for P routers. Since we do not configure route targets on 'P' routers (not VPN/VRF aware), I am wondering as to how we can configure P routers to accept VPNV4 routes.


The bottom line is that the PE router has VPN routes, but it cannot send traffic through the Ps in the core.

Any help/suggestions?


swaroop.potdar Mon, 11/26/2007 - 12:17


This is the default behaviour of BGP for RT which you have not configured on the receiving BGP peers.

For example: on PE1, if you have configured RT 1:1 to be exported and the same RT does not exist on other VPNv4 BGP peers in terms of an import RT of 1:1, then all the routes exported with RT 1:1 would be denied, and can be seen as a part of debug ip bgp vpnv4 uni.

Also a P router in an MPLS cloud should not be having any IBGP peering with any, as it simply does not need one.

Your IPv4 internet traffic would also be label switched if you omit the IPv4 IBGP sessions off the P routers.


But if you have already implemented vpnv4 sessions on your P routers as well as a part of your design then you can configure this command on the P routers to accept and store all the RT's received.


router bgp x
 no bgp default route-target filter



HTH-Cheers,

Swaroop
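A small model of the default route-target filter described in this reply, added here as an example (not code from any poster or from Cisco). The function names and sample configs are constructed; the model covers only the import-RT match and the `no bgp default route-target filter` override.

```python
import re

# Debug text quoted in the original question.
DENY_MSG = "DENIED due to: extended community not supported;"

def parse_rt_policy(config):
    """Pull the VRF import RTs and the RT-filter setting out of IOS-style config text."""
    imports = set(re.findall(r"^\s*route-target\s+(?:import|both)\s+(\S+)", config, re.M))
    filter_off = re.search(r"^\s*no bgp default route-target filter\b", config, re.M)
    return {"import_rts": imports, "rt_filter": filter_off is None}

def receive_vpnv4(policy, route_rts):
    """Model the default filter: keep a route only if one of its RTs is imported locally."""
    if not policy["rt_filter"]:
        return True, "accepted: route-target filter disabled"
    matched = policy["import_rts"] & set(route_rts)
    if matched:
        return True, "accepted: import RT " + ",".join(sorted(matched))
    return False, DENY_MSG

# Constructed sample configs (trimmed to the lines that matter for the filter).
PE_WITH_RT = """
ip vrf red
 rd 1:1
 route-target both 100:100
router bgp 1
 neighbor 5.5.5.5 remote-as 1
"""
PE_NO_RT = """
ip vrf red
 rd 1:1
router bgp 1
 neighbor 2.2.2.2 remote-as 1
"""
NO_FILTER = """
router bgp 1
 no bgp default route-target filter
 neighbor 2.2.2.2 remote-as 1
"""

def demo():
    """Evaluate one received route (export RT 100:100) against each sample config."""
    route_rts = ["100:100"]
    samples = [("pe_with_rt", PE_WITH_RT), ("pe_no_rt", PE_NO_RT), ("no_filter", NO_FILTER)]
    return {name: receive_vpnv4(parse_rt_policy(cfg), route_rts) for name, cfg in samples}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {why}")
```

A router with the filter disabled stores every VPNv4 route it receives regardless of RT, so its memory use grows with the total number of VPN routes in the network.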

Hi,


This is the situation when u want Inter-AS kind of scenario i.e. when u want ur vpnv4 routes to be exported to another AS. This is as per my understanding a different case where there is no Inter-AS communication. Thus we do not require "no bgp default route-target filter" here.


Gramu - Can u pls copy P router configuration here.


Regards

Vikas Sharma

Correct Answer
swaroop.potdar Mon, 11/26/2007 - 22:42

Gramu, Vikas,


If your P router in question has anything to do with VPNv4 sessions or messages received then technically it's not a P router but a PE router. Even though you may name it as a P router.


Also to troubleshoot your traffic switching problem, probably you may want to look at your LSP being functional for only the IGP labels, as P routers need not have any VPN information to switch traffic between PEs for end CEs. Just the IGP label for the next hop is enough.


Having said that, "no bgp default route-target filter" has nothing to do with inter-as, as none of the inter-as options except one option requires this command.


This command was introduced to nullify the basic BGP default in IOS which was introduced to conserve memory.


As any PE router which does have an import RT configured should not store the received routes in the updates to conserve memory. So in conditions where you need to override this behaviour you can always use "no bgp default rt filter".


HTH-Cheers,

Swaroop

gramucisco Tue, 11/27/2007 - 14:33

Swaroop, Vikas: Thanks for the input.


Swaroop, What I understand from your email is:

1. iBGP mesh is required only among PEs


2. PEs and P routers should know how to reach the PEs (typically IGP is used to achieve this reachability). P router does not need to be aware of VPN routes at all since data path is through LSP.


I had a reachability problem. Let me focus on debugging the LSP aspect and share my findings.


gramucisco Wed, 11/28/2007 - 08:44

The config works now! I had some routing problem, so the VRF reachability did not work earlier. I am posting the config below for anybody who likes to use it for basic VPN setup for practice. R1 & R6 are CEs, R2 & R5 are PEs and R3 & R4 are P routers.


R1

config terminal
hostname R1

interface fast 0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
 exit

interface loopback0
 ip addr 1.1.1.1 255.255.255.255
 no shut
 exit

router rip
 network 10.1.1.0
 network 1.1.1.1
 exit

ip route 0.0.0.0 0.0.0.0 10.1.1.2

exit
write mem



R2

config terminal
hostname R2

interface loopback0
 ip addr 2.2.2.2 255.255.255.255
 no shut
 exit

ip vrf red
 rd 1:1
 route-target both 100:100
 exit

interface fast 0/0
 ip vrf forwarding red
 ip address 10.1.1.2 255.255.255.0
 no shut
 exit

interface fast 0/1
 ip address 20.1.1.1 255.255.255.0
 no shut
 mpls ip
 mpls label protocol ldp
 exit

mpls ip
mpls label protocol ldp

router rip
 address-family ipv4 vrf red
  network 10.1.1.0
  exit
 exit

router ospf 1
 network 20.1.1.1 0.0.0.0 area 0
 network 2.2.2.2 0.0.0.0 area 0
 exit

router bgp 1
 neighbor 5.5.5.5 remote-as 1
 neighbor 5.5.5.5 update-source loopback0

 address-family vpnv4
  neighbor 5.5.5.5 activate
  exit

 address-family ipv4 vrf red
  redistribute rip
  no synchronization
 exit-address-family

 exit

exit
write mem


R3

config terminal
hostname R3

interface loopback0
 ip addr 3.3.3.3 255.255.255.255
 no shut
 exit

interface fast 0/1
 ip address 20.1.1.2 255.255.255.0
 no shut
 mpls ip
 mpls label protocol ldp
 exit

interface serial 0/0/1
 ip address 30.1.1.1 255.255.255.0
 encap hdlc
 mpls ip
 mpls label protocol ldp
 no shut
 exit

mpls ip
mpls label protocol ldp

router ospf 1
 network 20.1.1.2 0.0.0.0 area 0
 network 30.1.1.1 0.0.0.0 area 0
 network 3.3.3.3 0.0.0.0 area 0
 exit

exit
write mem


R4

config terminal
hostname R4

interface loopback0
 ip addr 4.4.4.4 255.255.255.255
 no shut
 exit

interface serial 0/0/1
 ip address 30.1.1.2 255.255.255.0
 encap hdlc
 mpls ip
 mpls label protocol ldp
 no shut
 exit

interface fast 0/0
 ip address 40.1.1.1 255.255.255.0
 mpls ip
 mpls label protocol ldp
 no shut
 exit

mpls ip
mpls label protocol ldp

router ospf 1
 network 30.1.1.2 0.0.0.0 area 0
 network 40.1.1.1 0.0.0.0 area 0
 network 4.4.4.4 0.0.0.0 area 0
 exit

exit
write mem


R5

config terminal
hostname R5

ip vrf red
 rd 1:1
 route-target both 100:100
 exit

interface loopback0
 ip addr 5.5.5.5 255.255.255.255
 no shut
 exit

interface fast 0/0
 ip address 40.1.1.2 255.255.255.0
 mpls ip
 mpls label protocol ldp
 no shut
 exit

interface serial 0/0/1
 ip vrf forwarding red
 ip address 50.1.1.2 255.255.255.0
 encap hdlc
 no shut
 exit

mpls ip
mpls label protocol ldp

router ospf 1
 network 40.1.1.2 0.0.0.0 area 0
 network 5.5.5.5 0.0.0.0 area 0
 exit

router rip
 address-family ipv4 vrf red
  network 50.1.1.0
  exit
 exit

router bgp 1
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source loopback0

 address-family vpnv4 unicast
  neighbor 2.2.2.2 activate
  exit

 address-family ipv4 vrf red
  redistribute rip
  no synchronization
 exit-address-family
 exit

exit
write mem


R6

config terminal
hostname R6

interface serial 0/0/1
 ip address 50.1.1.1 255.255.255.0
 no shut
 exit

interface loopback0
 ip addr 6.6.6.6 255.255.255.255
 no shut
 exit

router rip
 network 50.1.1.0
 network 6.6.6.6
 exit

ip route 0.0.0.0 0.0.0.0 50.1.1.2

exit
write mem



swaroop.potdar Sat, 12/01/2007 - 10:21

VPLS and L3VPN both are VPNs in terms of similarity; the rest are all differences, to list:


1) VPLS is a multipoint Layer 2 VPN. / L3VPN is a multipoint Layer 3 VPN.


2) VPLS doesn't use BGP but needs a full mesh of LDP peering between the endpoints / L3VPN needs BGP full mesh.


3) VPLS doesn't need the CE to peer using any routing protocol with the PE / L3VPN needs a routing protocol or a static route at minimum to forward traffic to the remote end.


4) VPLS is a single broadcast domain / L3VPN is not and is in fact a connection of multiple L3 islands.


For simplicity VPLS is a pure layer 2 VPN / and L3VPN as the name suggests is IP based VPN.


HTH-Cheers,

Swaroop

